5 Replies Latest reply on Apr 14, 2010 9:38 AM by Mal09

    Virus Scan 8.7 failed to detect eicar in a folder (not detecting viruses)

    babatola

      This was conducted in a test environment, but it has proved right a lot of accusations that McAfee does not detect malware.

       

      I created a test folder on the C drive. I excluded the test folder from being scanned; this was to enable me to COPY the eicar file to the test folder.

       

      I REMOVED the test folder from the exclusion list and I played out the following scenarios:

       

      1. I downloaded the file again, to a different folder this time: McAfee VirusScan detected the file

       

      2. I copied the eicar file from the test folder to a different server: McAfee VirusScan detected and removed the file from the source folder and the destination folder

       

      However, when I browse to the test folder where you have the eicar file, I wonder why McAfee VirusScan does not detect the file. Even when I move out of the folder and re-access the folder again, the eicar file is untouched.

       

      I have a problem here because I expect OAS to detect malicious files as I access folders. Apparently that is not the case; it only detects the file when the file is accessed or tried to be copied. This is reactive, too, too reactive.

       

      Why should a malicious file sit in a folder I access without McAfee detecting it......I believe the behaviour of VirusScan should seriously be looked into, or is there a setting I am missing here!!!!!!!!!!!!!

       

       

      Users keep complaining of viruses in USB sticks which McAfee fails to detect.....this is because as long as they access the folder the virus/malware remains, not until the file itself is accessed......I sincerely wish there is an explanation for this......and please, I do not need to initiate a scan before the virus is detected... I am accessing the folder and I believe OAS should take care of issues here!!!!!!!!!

       

      Any explanation on this?

        • 1. Re: Virus Scan 8.7 failed to detect eicar in a folder (not detecting viruses)

          I don't know what your settings are but it sounds like maybe you are only set to scan on write and not on read?

           

          Andrew

          • 2. Re: Virus Scan 8.7 failed to detect eicar in a folder (not detecting viruses)

            I'm pretty sure the behavior you describe is true for all antivirus products.  If they scanned every file in a folder whenever you looked at a folder, it would take forever to look at folders in explorer.  Imagine a folder on a server with several thousand files of many megabytes each...

             

            Jay

            1 of 1 people found this helpful
            • 3. Re: Virus Scan 8.7 failed to detect eicar in a folder (not detecting viruses)

              babatola,

               

              I guess you have included the solution in your statement :-

               

              I created a test folder on the C drive. I excluded the test folder from being scanned; this was to enable me to COPY the eicar file to the test folder.

               

              The only reason VSE did not detect the EICAR file is because you have added the TEST folder as an Exception and, rightly so, VSE will not bother whatever happens in it. However, you did find out that once you copied or moved the file from the TEST folder to any other folder, it did remove it.

               

              I think that sums it up !!!

               

              Just a thought: an antivirus is out there to help the user stay protected. If I, as a user, start making an exception and still expect the AV to find the malicious content, it is a little unfair on my part to expect so. Also, no AV provides guaranteed 100% protection against malware. User discretion is certainly critical.

               

               

              Thank you

               

               

              Sameer

              • 4. Re: Virus Scan 8.7 failed to detect eicar in a folder (not detecting viruses)
                babatola

                Sameer.

                 

                Thanks for the response, but all the same you missed my line where I said: "I REMOVED the folder from the exclusion." The folder was excluded to copy the eicar file across; afterwards I removed it from the exclusion list to perform the test. So I am not being judgmental of the technology, it is a technology I support. I only want it to improve.

                 

                Jay,

                 

                You have a great point there and I thought as much too. But my point is, should it really be like that? I mean, this is a potentially malicious file sitting free in the folder......Could there not be a light scan that frequently scans all contents of the folder when the folder is read?

                 

                Andy,

                 

                Well, my scan settings were set to read and write on the On Access Scan settings.

                • 5. Re: Virus Scan 8.7 failed to detect eicar in a folder (not detecting viruses)

                  This is by design I believe. When a folder is accessed, unless other applications read the files, McAfee will not detect threats.

                   

                  For example, upon opening a folder, Explorer will check certain files to find their icon. In this case, because Explorer is reading a file, then a threat will be detected.

                   

                  There are several reasons why things are done this way:

                  - The on-access scanner will detect a threat when a file is executed/read, so that ensures that known malware is not run on a machine.

                  - The additional overhead to scan all files upon folder opening is problematic, and would be a source of many customer complaints.

                   

                  An ideal compromise that McAfee should be implementing is an option for "Scan USB drives on attach" (or similar), where a scan of the drive is done when a USB key is attached. This also has potential consequences - for example if someone was to attach a 200Gb External Drive that is filled to the brim with files....

                   

                  So I suppose with the information above, I am curious what you perceive the threat to be, and how things should be managed to both ensure performance is acceptable and risks are mitigated.

                   

                   

                  Message was edited by: Mal09 on 14/04/10 14:38:26 GMT
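The distinction drawn in reply 5 (listing a folder opens nothing, reading a file does) and the "scan on attach" idea with its large-drive concern, as an added example that is not part of the original thread or any McAfee code: the script reads every file under a folder so that an on-access scanner configured to scan on read gets to see each one, and stops at a byte budget. The names `touch_tree` and `TouchReport`, the 2 GiB default budget and the sample tree are assumptions made for this sketch.

```python
import os
import tempfile
from dataclasses import dataclass, field

@dataclass
class TouchReport:
    read_ok: list = field(default_factory=list)  # fully read; an on-read scanner saw it
    blocked: list = field(default_factory=list)  # open/read refused, or file vanished
    skipped: list = field(default_factory=list)  # byte budget ran out first

def touch_tree(root, max_total_bytes=2 * 1024**3, chunk=1024 * 1024):
    """Open and read every file under root, within a total byte budget."""
    report, budget = TouchReport(), max_total_bytes
    # os.walk only enumerates names, like browsing the folder: no file is opened.
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if budget <= 0:
                report.skipped.append(path)
                continue
            try:
                complete = False
                with open(path, "rb") as fh:  # the open/read is the on-access event
                    while budget > 0:
                        data = fh.read(min(chunk, budget))
                        if not data:
                            complete = True
                            break
                        budget -= len(data)
                (report.read_ok if complete else report.skipped).append(path)
            except OSError:
                # Access denied, or the file was removed between listing and open.
                report.blocked.append(path)
    return report

def demo():
    """Constructed sample tree: two 10-byte files and one entry that cannot be opened."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.bin", "b.bin"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"x" * 10)
        # A dangling symlink stands in for a file removed before it could be read.
        os.symlink(os.path.join(root, "missing"), os.path.join(root, "gone"))
        full = touch_tree(root)
        capped = touch_tree(root, max_total_bytes=15)
        strip = lambda paths: [os.path.basename(p) for p in paths]
        return strip(full.read_ok), strip(full.blocked), strip(capped.read_ok), strip(capped.skipped)

if __name__ == "__main__":
    print(demo())
```

Entries in `blocked` are the ones to check against the scanner's own detection log; entries in `skipped` were never read and still need an on-demand scan.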